如果你未曾留意你的機器里有Cookie文件,可以按下列方法查看:打開IE,選擇“工具”菜單里的“Internet選項”,然后在彈出的對話框里點擊“設置”按鈕,在設置對話框里點擊“查看”鈕,就會打開一個窗口顯示瀏覽器放在硬盤里的所有緩存數據,其中就有大量的Cookie文件。
所以奉勸大家不要將敏感的用戶數據存放在Cookie中,要么就通過加密將這些數據保護起來。
在以前的ASP版本中沒有加密的功能,現在.NET構架在System.Security.Cryptography命名空間里提供了許多加密類可以利用。
一、.NET的密碼系統概要
簡單地說,加密就是將原始字符(字節)串轉變為完全不同的字符串的處理過程,達到原始字符無法破譯的目的。這個處理過程是用另一個字符串(稱為“密鑰”),采取復雜的、混合的算法,“搗進”原始字符串。有時還使用一個稱為“初始向量”的字符串,在密鑰搗進之前先打亂目標字符串,預防目標字符串中較明顯的內容被識破。加密的功效取決于所用密鑰的大小,密鑰越長,保密性越強。典型的密鑰長度有64位、128位、192位、256位和512位。攻擊者唯一的方法是創建一個程序嘗試每一個可能的密鑰組合,但64位密鑰也有72,057,594,037,927,936種組合。
目前有兩種加密方法:對稱加密(或稱私有密鑰)和非對稱加密(或稱公共密鑰)。對稱加密技術的數據交換兩邊(即加密方和解密方)必須使用一個保密的私有密鑰。非對稱加密技術中,解密方向加密方要求一個公共密鑰,加密方在建立一個公共密鑰給解密方后,用公共密鑰創建唯一的私有密鑰。加密方用私有密鑰加密送出的信息,對方用公共密鑰解密。保護HTTP傳輸安全的SSL就是使用非對稱技術。
我們對Cookie數據的加密采取對稱加密法。.NET構架從基本的SymmetricAlgorithm類擴展出來四種算法:
·System.Security.Cryptography.DES
·System.Security.Cryptography.TripleDES
·System.Security.Cryptography.RC2
·System.Security.Cryptography.Rijndael
下面將示范DES和TripleDES算法。DES的密鑰大小限制在64位,但用于Cookie的加密是有效的。TripleDES完成了三次加密,并有一個較大的密鑰位數,所以它更安全。使用那一種算法不僅要考慮加密強度,還要考慮Cookie的大小。因為加密后的Cookie數據將變大,并且,密鑰越大,加密后的數據就越大,然而Cookie數據的大小限制在4KB,這是一個必須考慮的問題。再者,加密的數據越多或算法越復雜,就會占有更多的服務器資源,進而減慢整個站點的訪問速度。
二、創建一個簡單的加密應用類
.NET的所有加密和解密通過CryptoStream類別來處理,它衍生自System.IO.Stream,將字符串作為以資料流為基礎的模型,供加密轉換之用。下面是一個簡單的加密應用類的代碼:
Imports System.Diagnostics
Imports System.Security.Cryptography
Imports System.Text
Imports System.IO
Public Class CryptoUtil
'隨機選8個字節既為密鑰也為初始向量
Private Shared KEY_64() As Byte = {42, 16, 93, 156, 78, 4, 218, 32}
Private Shared IV_64() As Byte = {55, 103, 246, 79, 36, 99, 167, 3}
'對TripleDES,采取24字節或192位的密鑰和初始向量
Private Shared KEY_192() As Byte = {42, 16, 93, 156, 78, 4, 218, 32, _
15, 167, 44, 80, 26, 250, 155, 112, _
2, 94, 11, 204, 119, 35, 184, 197}
Private Shared IV_192() As Byte = {55, 103, 246, 79, 36, 99, 167, 3, _
42, 5, 62, 83, 184, 7, 209, 13, _
145, 23, 200, 58, 173, 10, 121, 222}
'標準的DES加密
Public Shared Function Encrypt(ByVal value As String) As String
If value <> "" Then
Dim cryptoProvider As DESCryptoServiceProvider = _
New DESCryptoServiceProvider()
Dim ms As MemoryStream = New MemoryStream()
Dim cs As CryptoStream = _
New CryptoStream(ms, cryptoProvider.CreateEncryptor(KEY_64, IV_64), _
CryptoStreamMode.Write)
Dim sw As StreamWriter = New StreamWriter(cs)
sw.Write(value)
sw.Flush()
cs.FlushFinalBlock()
ms.Flush()
'再轉換為一個字符串
Return Convert.ToBase64String(ms.GetBuffer(), 0, ms.Length)
End If
End Function
'標準的DES解密
Public Shared Function Decrypt(ByVal value As String) As String
If value <> "" Then
Dim cryptoProvider As DESCryptoServiceProvider = _
New DESCryptoServiceProvider()
'從字符串轉換為字節組
Dim buffer As Byte() = Convert.FromBase64String(value)
Dim ms As MemoryStream = New MemoryStream(buffer)
Dim cs As CryptoStream = _
New CryptoStream(ms, cryptoProvider.CreateDecryptor(KEY_64, IV_64), _
CryptoStreamMode.Read)
Dim sr As StreamReader = New StreamReader(cs)
Return sr.ReadToEnd()
End If
End Function
'TRIPLE DES加密
Public Shared Function EncryptTripleDES(ByVal value As String) As String
If value <> "" Then
Dim cryptoProvider As TripleDESCryptoServiceProvider = _
New TripleDESCryptoServiceProvider()
Dim ms As MemoryStream = New MemoryStream()
Dim cs As CryptoStream = _
New CryptoStream(ms, cryptoProvider.CreateEncryptor(KEY_192, IV_192), _
CryptoStreamMode.Write)
Dim sw As StreamWriter = New StreamWriter(cs)
sw.Write(value)
sw.Flush()
cs.FlushFinalBlock()
ms.Flush()
'再轉換為一個字符串
Return Convert.ToBase64String(ms.GetBuffer(), 0, ms.Length)
End If
End Function
'TRIPLE DES解密
Public Shared Function DecryptTripleDES(ByVal value As String) As String
If value <> "" Then
Dim cryptoProvider As TripleDESCryptoServiceProvider = _
New TripleDESCryptoServiceProvider()
'從字符串轉換為字節組
Dim buffer As Byte() = Convert.FromBase64String(value)
Dim ms As MemoryStream = New MemoryStream(buffer)
Dim cs As CryptoStream = _
New CryptoStream(ms, cryptoProvider.CreateDecryptor(KEY_192, IV_192), _
CryptoStreamMode.Read)
Dim sr As StreamReader = New StreamReader(cs)
Return sr.ReadToEnd()
End If
End Function
End Class
上面我們將一組字節初始化為密鑰,并且使用的是數字常量,如果你在實際應用中也這樣做,這些字節一定要在0和255之間,這是一個字節允許的范圍值。
三、創建一個Cookie的應用類
下面我們就創建一個簡單的類,來設置和獲取Cookies。
Public Class CookieUtil
'設置COOKIE *****************************************************
'SetTripleDESEncryptedCookie (只針對密鑰和Cookie數據)
Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, _
ByVal value As String)
key = CryptoUtil.EncryptTripleDES(key)
value = CryptoUtil.EncryptTripleDES(value)
SetCookie(key, value)
End Sub
'SetTripleDESEncryptedCookie (增加了Cookie數據的有效期參數)
Public Shared Sub SetTripleDESEncryptedCookie(ByVal key As String, _
ByVal value As String, ByVal expires As Date)
key = CryptoUtil.EncryptTripleDES(key)
value = CryptoUtil.EncryptTripleDES(value)
SetCookie(key, value, expires)
End Sub
'SetEncryptedCookie(只針對密鑰和Cookie數據)
Public Shared Sub SetEncryptedCookie(ByVal key As String, _
ByVal value As String)
key = CryptoUtil.Encrypt(key)
value = CryptoUtil.Encrypt(value)
SetCookie(key, value)
End Sub
'SetEncryptedCookie (增加了Cookie數據的有效期參數)
Public Shared Sub SetEncryptedCookie(ByVal key As String, _
ByVal value As String, ByVal expires As Date)
key = CryptoUtil.Encrypt(key)
value = CryptoUtil.Encrypt(value)
SetCookie(key, value, expires)
End Sub
'SetCookie (只針對密鑰和Cookie數據)
Public Shared Sub SetCookie(ByVal key As String, ByVal value As String)
'編碼部分
key = HttpContext.Current.Server.UrlEncode(key)
value = HttpContext.Current.Server.UrlEncode(value)
Dim cookie As HttpCookie
cookie = New HttpCookie(key, value)
SetCookie(cookie)
End Sub
'SetCookie(增加了Cookie數據的有效期參數)
Public Shared Sub SetCookie(ByVal key As String, _
ByVal value As String, ByVal expires As Date)
'編碼部分
key = HttpContext.Current.Server.UrlEncode(key)
value = HttpContext.Current.Server.UrlEncode(value)
Dim cookie As HttpCookie
cookie = New HttpCookie(key, value)
cookie.Expires = expires
SetCookie(cookie)
End Sub
'SetCookie (只針對HttpCookie)
Public Shared Sub SetCookie(ByVal cookie As HttpCookie)
HttpContext.Current.Response.Cookies.Set(cookie)
End Sub
'獲取COOKIE *****************************************************
Public Shared Function GetTripleDESEncryptedCookieValue(ByVal key As String) _
As String
'只對密鑰加密
key = CryptoUtil.EncryptTripleDES(key)
'獲取Cookie值
Dim value As String
value = GetCookieValue(key)
'解密Cookie值
value = CryptoUtil.DecryptTripleDES(value)
Return value
End Function
Public Shared Function GetEncryptedCookieValue(ByVal key As String) As String
'只對密鑰加密
key = CryptoUtil.Encrypt(key)
'獲取Cookie值
Dim value As String
value = GetCookieValue(key)
'解密Cookie值
value = CryptoUtil.Decrypt(value)
Return value
End Function
Public Shared Function GetCookie(ByVal key As String) As HttpCookie
'編碼密鑰
key = HttpContext.Current.Server.UrlEncode(key)
Return HttpContext.Current.Request.Cookies.Get(key)
End Function
Public Shared Function GetCookieValue(ByVal key As String) As String
Try
'編碼在GetCookie里完成
'獲取Cookie值
Dim value As String
value = GetCookie(key).Value
'解碼所存儲的值
value = HttpContext.Current.Server.UrlDecode(value)
Return value
Catch
End Try
End Function
End Class
上面的設置功能中,有些功能附加提供了Cookie有效期這個參數。不設置該參數,Cookie將只為瀏覽器會話才保存在內存中。為了設置永久的Cookie,就需要設置有效期參數。
上面我們對密鑰和Cookies值進行了編碼與解碼,其原因是Cookies與URLs有同樣的限制,字符“=”和“;”是保留的,不能使用。這在保存加密后的數據時尤其重要,因為加密算法將添加“=”,按所分配塊的大小來填滿該數據塊。
好了,你會保護Cookies數據了吧?
